1. Field of the Invention
The present invention relates to recording media recording a network shutdown control program and network shutdown devices, and more particularly, to a recording medium recording a network shutdown control program for controlling shutdown of communications of network segments under management and for quarantining, if necessary, a network segment from the network, and a network shutdown device for performing such control operations.
2. Description of the Related Art
With the recent expansion of networks due to the diffusion of the Internet, for example, an increasing number of computer viruses have been spreading via networks, causing extensive damage.
Among such computer viruses, a type called a worm, in particular, moves from computer to computer and successively infects computers connected by a network while self-replicating. A worm self-replicates and spreads at extremely high speed and generates a great deal of traffic in the process, so that heavy loads are imposed on networks, sometimes paralyzing them. Also, because a worm infects computers one after another, once a worm has spread, damage cannot be avoided merely by finding the infected computers and removing the worm from them. It is therefore essential to monitor traffic at the border of a network to detect incoming worms and prevent their invasion.
In a conventional worm discrimination device, packets transmitted over a communication path connecting internal and external networks are monitored to acquire, for example, information on the amount of packets and destination addresses, the acquired information is analyzed by using preset criteria to determine whether a worm is contained or not, and if a worm is detected, communication with the network with respect to which the worm attack has been detected is shut off to prevent infection (e.g., Unexamined Japanese Patent Publication No. 2005-134974 (cf. paragraph nos. [0045] through [0099], FIG. 2)).
A network shutdown system has also been proposed wherein, on detection of an attacking computer making an attack such as a worm attack or an attacking network to which the attacking computer is connected, communication between the network under management and the attacking network or computer is shut off even if the managed network is actually not under attack (e.g., Unexamined Japanese Patent Publication No. 2005-12606 (cf. paragraph nos. [0019] to [0022], FIG. 1)).
In the conventional network shutdown system, however, when an attack is detected, only the communication with the network segment on which the attack has been detected is shut off. Accordingly, the conventional system is unable to effectively prevent attacks, such as worm attacks, that cause widespread damage because an infected computer repeats the attack while randomly changing target addresses, and each secondarily infected computer in turn becomes an attacking computer.
The objective of the conventional technique disclosed in the aforementioned Unexamined Japanese Patent Publication No. 2005-134974 (paragraph nos. [0045] through [0099], FIG. 2) is to protect the internal networks against attacks from external networks. When an attack from an external network is detected, those networks which have not yet detected the attack are also notified of the attack so that the networks may be shut down in advance and thus protected from the attack. On the other hand, when an attack from an internal network to an external network is detected, only the communication with the network with respect to which the attack has been detected is shut off. Accordingly, in cases where an attacking computer as well as secondarily infected computers continue attacking, like worm attacks, worm infection cannot be prevented with the conventional technique.
Further, the conventional shutdown notification simply demands execution of shutdown, and upon receiving the notification, the network shutdown device executes shutdown unconditionally. Thus, when a shutdown notification results from an erroneous detection and no attack is actually taking place, the shutdown of networks that are not under attack cannotot be prevented.
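The following is an added illustration, not code from the patent or from any embodiment it discloses: a model of the conventional discriminator described above, which judges each managed segment by packet volume and by the number of distinct destination addresses seen within a window, together with a shutdown table that applies every notification unconditionally and cuts off only the segment on which the attack was detected. The segment addresses, thresholds and sample traffic are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed segment map (hypothetical addresses, not from the patent).
SEGMENTS = {
    "seg-A": ip_network("10.1.0.0/24"),
    "seg-B": ip_network("10.2.0.0/24"),
}

# Preset criteria (assumed thresholds chosen for illustration).
WINDOW_SECONDS = 60       # analysis window per source segment
MAX_PACKETS = 20          # packets from one segment within the window
MAX_DISTINCT_DSTS = 10    # distinct destinations within the window

def segment_of(addr):
    """Map an address to its managed segment, or 'external'."""
    ip = ip_address(addr)
    return next((n for n, net in SEGMENTS.items() if ip in net), "external")

def detect_worm_segments(packets):
    """Conventional discriminator: packets are (timestamp, src, dst) tuples.
    Returns {segment: reason} for segments exceeding a preset criterion."""
    recent = defaultdict(list)   # segment -> [(ts, dst), ...] inside the window
    flagged = {}
    for ts, src, dst in sorted(packets):
        seg = segment_of(src)
        recent[seg] = [(t, d) for t, d in recent[seg] if ts - t < WINDOW_SECONDS]
        recent[seg].append((ts, dst))
        count, distinct = len(recent[seg]), len({d for _, d in recent[seg]})
        if seg not in flagged and (count > MAX_PACKETS or distinct > MAX_DISTINCT_DSTS):
            flagged[seg] = f"{count} packets to {distinct} destinations in {WINDOW_SECONDS}s"
    return flagged

class ShutdownTable:
    """Conventional behaviour: every notification is applied unconditionally, and
    only the segment on which the attack was detected is cut off."""
    def __init__(self):
        self.blocked = set()
    def apply(self, notifications):
        self.blocked |= set(notifications)
    def allowed(self, src, dst):
        return self.blocked.isdisjoint({segment_of(src), segment_of(dst)})

def sample_packets():
    """Constructed traffic: one host in seg-A contacting many changing addresses
    (worm-like scatter), plus ordinary repeated traffic inside seg-B."""
    scatter = [(float(i), "10.1.0.7", f"10.3.{i}.{(i * 37) % 256}") for i in range(15)]
    normal = [(float(i), "10.2.0.5", "10.2.0.9") for i in range(5)]
    return scatter + normal
```

Running `detect_worm_segments(sample_packets())` flags only seg-A, and after `ShutdownTable().apply(...)` traffic to or from seg-A is refused while seg-B traffic continues, which is exactly the per-segment behaviour the text above criticizes.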